Darin Fisher, network supremo, has pulled it out of the bag and come up with a less drastic short-term solution to the IDN problem. It has just been checked in for all three upcoming releases. Read about it over in bug 282270, but basically IDN will still work, but all occurrences of IDN domains in the browser UI (URL bar, security info etc.) will be the punycode form. There is a pref to re-enable full IDN - set "network.IDN_show_punycode" to false. As with the previous plan, this preference will be set to true in all official builds.

As I've said in previous blogposts, turning off IDN entirely was always an suboptimal solution, and I'm very pleased we've managed to find a third way. The search goes on for something better long-term - I'm sure you'll all agree that, while showing the punycode domain all the time solves the immediate spoofing problem, the fewer browsers out there that do it, the better.